Re: Port forwarding/open ports

exciteman · ‎2019-10-25

Hey. I need some help with port forwarding/NAT-rule. Some of the users in our network is using Playstation 4 in their free time. They say that they are unable to play some games because of strict NAT type on the PS4. They have asked to open/forward these ports:

TCP: 80, 443, 1935, 3478-3480

UDP: 3478-3479

How can i do this, for one specific network/IP range (we are running a couple VLANS that goes out on the same WAN)? Or are there any other ways for me to fix this, other ways to do the NAT on this specific LAN, etc.? We are running R80.30 on security gateway and management.

Thanks:)

Nick_Doropoulos · ‎2019-10-26

Hello,

Can I confirm that the interesting traffic here is only outbound? If it is, you should be able to achieve the intended result with Hide NAT only along with an accompanying firewall rule as follows:

- Create the necessary service objects if they don't already exist (TCP:1935, 3478-3480, UDP: 3478-3479).

- Ensure that the PS4 users exist as a network object with the Hide NAT checkbox enabled.

- Create a firewall rule with the PS4 users as the source, the relevant IP addresses as destination and the service objects above under services with the action to allow.

- Install policy and verify results.

I hope this helps.

Markus_Genser · ‎2019-10-28

Hello,

regarding the open / strict NAT.

In addition, you need to create a manual hide NAT for the network with the Static option instead of Hide for the Check Point Firewall to keep the original source port of the PS4.

It seems that Sony and Microsoft (for XBOX) server compare the packet and the content source port.

No inbound NAT or open ports are needed.

Regards,

Markus

exciteman · ‎2019-10-28

Hey. Thanks for the input. However, I do not fully understand what you mean.

Here is a screenshot of the current NAT-settings for the network:

If I set translation method to "Static", it asks what IP adress to translate to. What should this be? It also asks for IPv6 address, but we do not use IPv6 on this network.

Do I need to change anything in the NAT policy?

There are multiple PS4's on the network, just FYI.

Markus_Genser · ‎2019-10-29

Hello,

I've meant a manual static NAT like this, no automatic hide NAT on the network itself.

Like this example.

I haven't tested it with multiple consoles in the same network.

In Microsofts case you dan set a port on the device itself, but I would test it if that NAT rule is sufficient.

Regards

exciteman · ‎2019-10-29

Yeah, that makes sense. However, when i set up the NAT-policy like you said, i get the following error when i try to install the policy:

Any suggestions?

Markus_Genser · ‎2019-10-29

Hello,

Oh i think that could come from the fact that you need the same amount for static NAT addresses as for the sources.

Just try to allow a single PS4 IP address and see if the basics are working.

Regards

slonkak · ‎2020-04-27

Does anyone know how to do this on a 620? My interface looks nothing like what was posted above. I turned off the master "hide internal networks behind the Gateway's external IP address" button but when I try to manually make a NAT rule I don't get "This Gateway" as an option for Translated Source. I thought I would make a rule that looked like this:

Original source: Home (group for 192.168/16)

Original dest: Any

Original Service: Any

Translated Source: This Gateway (this isn't an option)

Translated Dest: Original

Translated Service: Original

I was hoping that would create a SNAT situation but since I can't make a rule like that I'm not sure how to do this on the 620. I see there are more NAT options on the Servers page but that's only for a single IP, not a network.

PhoneBoy · ‎2020-04-27

On the SMB appliances create "Server" objects to do port forwarding, particularly for the gateway's external IP.

slonkak · ‎2020-04-27

I see all of the options for external->internal NAT'ing, but I don't see any options on the SMB for internal->external NAT'ing, specifically "disable source port remapping", which is what I need for this 1 device. I was hoping to find a way to do this via ssh or expert mode, but there is no documentation available to me on either so I'm stuck...

PhoneBoy · ‎2020-04-27

You need to do a 1-1 static NAT if you don't want the source port to change.
HIDE NAT always changes the source port and there's no way I'm aware of to prevent it.

slonkak · ‎2020-04-27

The static option on the SMB requires me to input the IP address for the static NAT, which means every time my ISP IP address renews I'll have to modify the Server to make it work again. Is there any way to make it use "This Gateway" or something where it will automatically use whatever WAN address the SMB gets?

Are you a member of CheckMates?

Port forwarding/open ports